Snubbed by Facebook, Security Researcher Hacks Zuckerberg's Page

UPDATED Tuesday (Aug. 20) with news that
security researchers were raising money for Khalil Shreateh and
that Facebook was altering its bug-reporting procedures in
response to this case.

Frustrated that Facebook's security team wasn't taking him
seriously, a Palestinian computer researcher last week figured
out a different way to get the company's attention: He hacked
into Mark Zuckerberg's Facebook page.

Unfortunately, because he had to break Facebook's rules to prove
his point, the researcher, Khalil Shreateh of the town of Yatta
on the West Bank, won't be seeing any "bug bounty" money from the
company.

"Dear Mark Zuckerberg," read Shreateh's rogue posting on the page
of Facebook's founder, chairman and chief executive officer.
"Sorry for breaking your privacy and post[ing] to your wall, I
has no other choice to make after all the reports I sent to
Facebook team."

In a blog posting after the fact, Shreateh
recounted the story: He'd found a security flaw in Facebook
that allowed an attacker to post on anyone's wall or timeline.

But when he emailed Facebook's security team about it on
Wednesday (Aug. 14), Shreateh was rebuffed twice; the first time
for having sent a bad link to his proof, the second time with a
curt dismissal after he posted on the Facebook page of a woman
Zuckerberg knew in college.

"I am sorry this is not a bug," wrote a member of Facebook's
security team.

Shreateh replied, "OK, that mean[s] I have no other choice than
report this to Mark himself on Facebook."

And so he did.

"Couple days ago I discovered a serious Facebook
exploit that allow users to post to other Facebook users
timeline while they are not in friend list," Shreateh posted to
Zuckerberg on Thursday (Aug. 15), explaining his finding. "As you
see, I am not in your friend list and yet I can post to your
timeline."

"I appreciate your time reading this and getting some one from
your company team to contact me," Shreateh concluded.

That got Facebook's attention. Almost instantly, Shreateh
got a message on his Facebook page from a
different member of Facebook security. Then his Facebook
account was temporarily deactivated.

"When we discovered your activity we did not fully know what was
happening," another Facebook security staffer told Shreateh.
"Unfortunately, your report to our Whitehat system [which
encourages bug reporting] did not have enough technical
information for us to take action on it."

Although Shreateh's Facebook account was soon reactivated, he was
told he wouldn't qualify for Facebook's bug-bounty program, which
rewards researchers who find security flaws with payments ranging
from $500 to $5,000.

"We are unfortunately not able to pay you for this vulnerability
because your actions violated our Terms of Service" by making an
unauthorized posting to a member's page, the email message
Shreateh received said. "We do hope, however, that you continue
to work with us to find vulnerabilities in the site."

To Shreateh, who says on his blog that he's unemployed, this was
unfair.

"I could sell" the exploit in underground malware bazaars,
he told CNN in an interview. "I could
make more money than Facebook could pay me."

Reaction online was mixed.

"Although he was frustrated by the response from Facebook's
security team, Shreateh did the wrong thing by using the flaw to
post a message on Mark Zuckerberg's wall," wrote British security
expert Graham Cluley.

"I think there was some misunderstanding between you and [the]
Facebook Security Team," Pakistani computer researcher Mohammad
Talha Hassan commented in response to Shreateh's screen grab of
Zuckerberg's page. "When I reported a security issue to them,
they kept me updated of all the progress and dealt with it
professionally. I personally think that you should have waited a
little more before publicly disclosing the issue."

But most of the comments on Shreateh's page, as well as on news
reports about the issue, amounted to congratulations or
recommendations that Facebook should hire Shreateh.

If Shreateh needs encouragement to do further research into
Facebook security, he needn't look far: Top Facebook hacker Nir
Goldshlager, who's received many Facebook bug bounties, lives
right over the border in Israel.

UPDATE: Security researchers upset that Facebook
won't pay Shreateh a bug bounty have begun to raise money on his
behalf.

"Khalil Shreateh found a vulnerability in Facebook.com and, due
to miscommunication, was not awarded a bounty for his work,"
wrote Marc Maiffret, chief technology officer of BeyondTrust, on
a GoFundMe page Maiffret created for
Shreateh. "Let us all send a message to security researchers
across the world and say that we appreciate the efforts they
make for the good of everyone."

Maiffret and Firas Bushnaq, who co-founded eEye Digital Security
with Maiffret, each kicked in $3,000. As of this writing, 68
donations have been made, most between $5 and $20, and the fund
has reached $8,800 with an ultimate goal of $10,000.

That's twice as much as the maximum Shreateh could have received
from Facebook for a single working exploit.

"He tried to report the bug responsibly, and we failed in our
communication with him," Sullivan wrote. "We were too hasty and
dismissive in this case. We should have explained to this
researcher that his initial messages to us did not give us enough
detail to allow us to replicate the problem."

"The breakdown here was not about a language barrier or a lack of
interest," Sullivan continued. "It was purely because the absence
of detail made it look like yet another misrouted user report."

As a result, Sullivan said, the Facebook security team would make
two changes: "improve our email messaging to make sure we clearly
articulate what we need to validate a bug" and "update our
whitehat page with more information on the best ways to submit a
bug report."